Patchwork [05/17] checkpolicy: new package

Submitter Clayton Shotwell
Date Sept. 4, 2013, 11:09 p.m.
Message ID <1378336196-27403-6-git-send-email-clshotwe@rockwellcollins.com>
Permalink /patch/272759/
State Superseded

Comments

Clayton Shotwell - Sept. 4, 2013, 11:09 p.m.
Signed-off-by: Clayton Shotwell <clshotwe@rockwellcollins.com>
---
 package/Config.in                  |    1 +
 package/checkpolicy/Config.in      |   11 ++++++
 package/checkpolicy/checkpolicy.mk |   71 ++++++++++++++++++++++++++++++++++++
 3 files changed, 83 insertions(+), 0 deletions(-)
 create mode 100644 package/checkpolicy/Config.in
 create mode 100644 package/checkpolicy/checkpolicy.mk
Thomas Petazzoni - Sept. 6, 2013, 5:56 p.m.
Dear Clayton Shotwell,

On Wed, 4 Sep 2013 18:09:44 -0500, Clayton Shotwell wrote:

> --- /dev/null
> +++ b/package/checkpolicy/Config.in
> @@ -0,0 +1,11 @@
> +config BR2_PACKAGE_CHECKPOLICY
> +	bool "checkpolicy"
> +	select BR2_PACKAGE_FLEX
> +	help
> +	  checkpolicy is the policy compiler. It uses libsepol to 
> +	  generate the binary policy. checkpolicy uses the static 
> +	  libsepol since it deals with low level details of the policy 
> +	  that have not been encapsulated/abstracted by a proper 
> +	  shared library interface. 
> +	  
> +	  http://selinuxproject.org/page/Main_Page

Is a target variant of this package really needed? In the context of
Buildroot and cross-compilation, I would expect the policy to be
written on the development machine, the compilation to happen on the
development machine, and only the resulting binary copied to the target.

We generally don't support "development" on the target, and we expect
the system generated by Buildroot to be ready to use. I am not familiar
with SELinux at all, but my understanding is that this Buildroot policy
should translate into just the SELinux binary policy to be installed on
the target, the compiler being kept on the host.

Other comments below.

> diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
> new file mode 100644
> index 0000000..e61e053
> --- /dev/null
> +++ b/package/checkpolicy/checkpolicy.mk
> @@ -0,0 +1,71 @@
> +#############################################################
> +#
> +# checkpolicy
> +#
> +#############################################################

80 dashes, empty line missing.

> +CHECKPOLICY_VERSION = 2.1.12
> +CHECKPOLICY_SOURCE = checkpolicy-$(CHECKPOLICY_VERSION).tar.gz

Not needed, that's the default.

> +CHECKPOLICY_SITE = http://userspace.selinuxproject.org/releases/20130423/
> +CHECKPOLICY_LICENSE = GPLv2

Really GPLv2, not GPLv2+ ?

> +CHECKPOLICY_LICENSE_FILES = COPYING
> +
> +##############################
> +# Target Section
> +##############################

We can remove this comment.

> +CHECKPOLICY_DEPENDENCIES = host-flex host-bison libselinux flex

So flex is needed both on the target, and at runtime?

> +
> +CHECKPOLICY_INSTALL_STAGING = YES
> +CHECKPOLICY_INSTALL_TARGET = YES

Last line not needed, that's the default.

> +
> +CHECKPOLICY_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
> +	LEX="$(HOST_DIR)/usr/bin/flex" \
> +	YACC="$(HOST_DIR)/usr/bin/bison -y"
> +
> +define CHECKPOLICY_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(CHECKPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define CHECKPOLICY_INSTALL_STAGING_CMDS
> +	$(MAKE) -C $(@D) install $(CHECKPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
> +endef
> +
> +define CHECKPOLICY_INSTALL_TARGET_CMDS
> +	$(MAKE) -C $(@D) install $(CHECKPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
> +endef
> +
> +define CHECKPOLICY_CLEAN_CMDS
> +	$(MAKE) -C $(@D) clean
> +endef
> +
> +define CHECKPOLICY_UNINSTALL_STAGING_CMDS
> +	rm -f $(STAGING_DIR)/usr/bin/checkpolicy
> +	rm -f $(addprefix $(STAGING_DIR)/usr/man/man8/,$(notdir $(wildcard $(@D)/*.8)))
> +endef
> +
> +define CHECKPOLICY_UNINSTALL_TARGET_CMDS
> +	rm -f $(TARGET_DIR)/usr/bin/checkpolicy
> +endef

You can get rid of uninstall commands.

> +##############################
> +# Host Section
> +##############################

Comment not needed.

> +HOST_CHECKPOLICY_DEPENDENCIES = host-libselinux host-flex host-bison
> +
> +HOST_CHECKPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
> +	LEX="$(HOST_DIR)/usr/bin/flex" \
> +	YACC="$(HOST_DIR)/usr/bin/bison -y"
> +
> +define HOST_CHECKPOLICY_BUILD_CMDS
> +	$(MAKE) -C $(@D) $(HOST_CHECKPOLICY_MAKE_CMDS) DESTDIR=$(HOST_DIR)
> +endef
> +
> +define HOST_CHECKPOLICY_INSTALL_CMDS
> +	$(MAKE) -C $(@D) install $(CHOST_HECKPOLICY_MAKE_CMDS) DESTDIR=$(HOST_DIR)
> +endef
> +
> +define HOST_CHECKPOLICY_CLEAN_CMDS
> +	$(MAKE) -C $(@D) clean
> +endef
> +
> +$(eval $(generic-package))
> +$(eval $(host-generic-package))

Thanks,

Thomas
Clayton Shotwell - Sept. 9, 2013, 5:33 p.m.
Thomas,

Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on 09/06/2013 12:56:09 PM:
> Is a target variant of this package really needed? In the context of
> Buildroot and cross-compilation, I would expect the policy to be
> written on the development machine, the compilation to happen on the
> development machine, and only the resulting binary copied 
> to the target.
> 
> We generally don't support "development" on the target, 
> and we expect
> the system generated by Buildroot to be ready to use. I am
> not familiar
> with SELinux at all, but my understanding is that this 
> Buildroot policy
> should translate into just the SELinux binary policy to be
> installed on
> the target, the compiler being kept on the host.

Very good point and I agree completely. This package is used to compile
the SELinux policy from source, and that should only be done on the host. I
will go ahead and remove the target build commands and Config.in file to
keep this a host-only utility.

> > +CHECKPOLICY_SITE = http://userspace.selinuxproject.org/
> releases/20130423/
> > +CHECKPOLICY_LICENSE = GPLv2
> 
> Really GPLv2, not GPLv2+ ?

Yes, just GPLv2 per most of the headers. Several source files contain no
license information and there are a couple that contain an LGPLv2.1+. I am
going to consider everything under the GPLv2 since that is the most
restrictive license.

Thanks,
Clayton

Clayton Shotwell
Software Engineer
clshotwe@rockwellcollins.com
www.rockwellcollins.com
Arnout Vandecappelle - Sept. 11, 2013, 4:44 p.m.
On 09/09/13 19:33, Clayton Shotwell wrote:
> Thomas,
>
> Thomas Petazzoni <thomas.petazzoni@free-electrons.com> wrote on
> 09/06/2013 12:56:09 PM:
>  > Is a target variant of this package really needed? In the context of
>  > Buildroot and cross-compilation, I would expect the policy to be
>  > written on the development machine, the compilation to happen on the
>  > development machine, and only the resulting binary copied
>  > to the target.
>  >
>  > We generally don't support "development" on the target,
>  > and we expect
>  > the system generated by Buildroot to be ready to use. I am
>  > not familiar
>  > with SELinux at all, but my understanding is that this
>  > Buildroot policy
>  > should translate into just the SELinux binary policy to be
>  > installed on
>  > the target, the compiler being kept on the host.
>
> Very good point and I agree completely.  This package is used to compile
> the SELinux policy from source and that should only be done on the host.
> I will go ahead and remove the target build commands and Config.in file
> to keep this a host only utility.

  Note: you'll probably want to add a Config.in.host for this package, so 
people can select it in their config and use it in a post-build script.

  In the long term, it is probably also a good idea to have a 
system-level SELinux menu where you can specify some policy files to be 
put on the target, and buildroot will compile and install them for you.

  Regards,
  Arnout
Thomas Petazzoni - Sept. 12, 2013, 7:17 a.m.
Dear Arnout Vandecappelle,

On Wed, 11 Sep 2013 18:44:08 +0200, Arnout Vandecappelle wrote:

>   Note: you'll probably want to add a Config.in.host for this
> package, so people can select it in their config and use it in a
> post-build script.
> 
>   In the long term, it is probably also a good idea to have a 
> system-level SELinux menu where you can specify some policy files to
> be put on the target, and buildroot will compile and install them for
> you.

I agree. Usage of SELinux is such a system-wide thing that we might
need an entry for it in the "System configuration" menu for example.

But well, let's get the packages merged first, and we'll work together
to see how to polish the integration.

Best regards,

Thomas
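What the thread converges on, written out here as an added sketch rather than the submitted patch or the package as eventually merged: a host-only checkpolicy with a Config.in.host so a post-build script can rely on the tool, applying Thomas's comments (80-character banner, no CHECKPOLICY_SOURCE, no target section, no uninstall commands, one shared make-options variable so the CHOST_HECKPOLICY typo cannot recur). The option name BR2_PACKAGE_HOST_CHECKPOLICY and the host-libsepol dependency are assumed names following Buildroot conventions; the rest comes from the thread.

```makefile
# package/checkpolicy/Config.in.host (assumed option name, Buildroot style)
config BR2_PACKAGE_HOST_CHECKPOLICY
	bool "host checkpolicy"
	help
	  SELinux policy compiler, built for the host only. The policy
	  is compiled on the development machine and only the resulting
	  binary policy is copied to the target, so the compiler never
	  ends up in the target root filesystem.

	  http://selinuxproject.org/page/Main_Page

# package/checkpolicy/checkpolicy.mk
################################################################################
#
# checkpolicy
#
################################################################################

CHECKPOLICY_VERSION = 2.1.12
CHECKPOLICY_SITE = http://userspace.selinuxproject.org/releases/20130423/
CHECKPOLICY_LICENSE = GPLv2
CHECKPOLICY_LICENSE_FILES = COPYING

# Host tool only: no CHECKPOLICY_DEPENDENCIES / target section at all.
# host-libsepol is an assumption (checkpolicy links libsepol statically,
# as its help text says); the submitted .mk expressed this via host-libselinux.
HOST_CHECKPOLICY_DEPENDENCIES = host-libsepol host-libselinux host-flex host-bison

# One variable shared by build and install, so both steps use the same
# compiler flags and the same host flex/bison (not whatever is in PATH).
HOST_CHECKPOLICY_MAKE_OPTS = $(HOST_CONFIGURE_OPTS) \
	LEX="$(HOST_DIR)/usr/bin/flex" \
	YACC="$(HOST_DIR)/usr/bin/bison -y"

# DESTDIR is passed at build time too: the upstream Makefile derives the
# libsepol include and library paths from it.
define HOST_CHECKPOLICY_BUILD_CMDS
	$(MAKE) -C $(@D) $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
endef

define HOST_CHECKPOLICY_INSTALL_CMDS
	$(MAKE) -C $(@D) install $(HOST_CHECKPOLICY_MAKE_OPTS) DESTDIR=$(HOST_DIR)
endef

$(eval $(host-generic-package))
```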

Patch

diff --git a/package/Config.in b/package/Config.in
index b6b3cec..5c4adb9 100644
--- a/package/Config.in
+++ b/package/Config.in
@@ -898,6 +898,7 @@  source "package/xmlstarlet/Config.in"
 endmenu
 
 menu "Security"
+source "package/checkpolicy/Config.in"
 source "package/libsepol/Config.in"
 source "package/libselinux/Config.in"
 source "package/libsemanage/Config.in"
diff --git a/package/checkpolicy/Config.in b/package/checkpolicy/Config.in
new file mode 100644
index 0000000..2c4819f
--- /dev/null
+++ b/package/checkpolicy/Config.in
@@ -0,0 +1,11 @@ 
+config BR2_PACKAGE_CHECKPOLICY
+	bool "checkpolicy"
+	select BR2_PACKAGE_FLEX
+	help
+	  checkpolicy is the policy compiler. It uses libsepol to 
+	  generate the binary policy. checkpolicy uses the static 
+	  libsepol since it deals with low level details of the policy 
+	  that have not been encapsulated/abstracted by a proper 
+	  shared library interface. 
+	  
+	  http://selinuxproject.org/page/Main_Page
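Review bot: the Config.in only does `select BR2_PACKAGE_FLEX`, while checkpolicy.mk in this patch lists libselinux in CHECKPOLICY_DEPENDENCIES; a target package has to `select BR2_PACKAGE_LIBSELINUX` as well (and carry whatever toolchain `depends on` libselinux has), otherwise enabling checkpolicy on its own gives a build with an unsatisfied dependency. The help text itself says the tool statically links libsepol to compile policy, which supports the thread's conclusion that only a host variant (Config.in.host) is wanted. The help text lines also carry trailing whitespace, including an otherwise empty line.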
diff --git a/package/checkpolicy/checkpolicy.mk b/package/checkpolicy/checkpolicy.mk
new file mode 100644
index 0000000..e61e053
--- /dev/null
+++ b/package/checkpolicy/checkpolicy.mk
@@ -0,0 +1,71 @@ 
+#############################################################
+#
+# checkpolicy
+#
+#############################################################
+CHECKPOLICY_VERSION = 2.1.12
+CHECKPOLICY_SOURCE = checkpolicy-$(CHECKPOLICY_VERSION).tar.gz
+CHECKPOLICY_SITE = http://userspace.selinuxproject.org/releases/20130423/
+CHECKPOLICY_LICENSE = GPLv2
+CHECKPOLICY_LICENSE_FILES = COPYING
+
+##############################
+# Target Section
+##############################
+CHECKPOLICY_DEPENDENCIES = host-flex host-bison libselinux flex
+
+CHECKPOLICY_INSTALL_STAGING = YES
+CHECKPOLICY_INSTALL_TARGET = YES
+
+CHECKPOLICY_MAKE_CMDS = $(TARGET_CONFIGURE_OPTS) \
+	LEX="$(HOST_DIR)/usr/bin/flex" \
+	YACC="$(HOST_DIR)/usr/bin/bison -y"
+
+define CHECKPOLICY_BUILD_CMDS
+	$(MAKE) -C $(@D) $(CHECKPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define CHECKPOLICY_INSTALL_STAGING_CMDS
+	$(MAKE) -C $(@D) install $(CHECKPOLICY_MAKE_CMDS) DESTDIR=$(STAGING_DIR)
+endef
+
+define CHECKPOLICY_INSTALL_TARGET_CMDS
+	$(MAKE) -C $(@D) install $(CHECKPOLICY_MAKE_CMDS) DESTDIR=$(TARGET_DIR)
+endef
+
+define CHECKPOLICY_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+define CHECKPOLICY_UNINSTALL_STAGING_CMDS
+	rm -f $(STAGING_DIR)/usr/bin/checkpolicy
+	rm -f $(addprefix $(STAGING_DIR)/usr/man/man8/,$(notdir $(wildcard $(@D)/*.8)))
+endef
+
+define CHECKPOLICY_UNINSTALL_TARGET_CMDS
+	rm -f $(TARGET_DIR)/usr/bin/checkpolicy
+endef
+
+##############################
+# Host Section
+##############################
+HOST_CHECKPOLICY_DEPENDENCIES = host-libselinux host-flex host-bison
+
+HOST_CHECKPOLICY_MAKE_CMDS = $(HOST_CONFIGURE_OPTS) \
+	LEX="$(HOST_DIR)/usr/bin/flex" \
+	YACC="$(HOST_DIR)/usr/bin/bison -y"
+
+define HOST_CHECKPOLICY_BUILD_CMDS
+	$(MAKE) -C $(@D) $(HOST_CHECKPOLICY_MAKE_CMDS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_CHECKPOLICY_INSTALL_CMDS
+	$(MAKE) -C $(@D) install $(CHOST_HECKPOLICY_MAKE_CMDS) DESTDIR=$(HOST_DIR)
+endef
+
+define HOST_CHECKPOLICY_CLEAN_CMDS
+	$(MAKE) -C $(@D) clean
+endef
+
+$(eval $(generic-package))
+$(eval $(host-generic-package))
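Review bot: `$(CHOST_HECKPOLICY_MAKE_CMDS)` in HOST_CHECKPOLICY_INSTALL_CMDS is a typo for `$(HOST_CHECKPOLICY_MAKE_CMDS)`; an undefined make variable expands to nothing, so the host `make install` runs without HOST_CONFIGURE_OPTS and with whatever lex/yacc is in PATH, and anything rebuilt during install is compiled differently from the build step. It should read `$(MAKE) -C $(@D) install $(HOST_CHECKPOLICY_MAKE_CMDS) DESTDIR=$(HOST_DIR)`. The LEX/YACC assignment is duplicated verbatim between CHECKPOLICY_MAKE_CMDS and HOST_CHECKPOLICY_MAKE_CMDS; once the target section goes away, as agreed in the thread, a single variable remains and this class of typo has nowhere to hide.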